CVE-2025-43855: CWE-248: Uncaught Exception in trpc trpc
tRPC allows users to build & consume fully typesafe APIs without schemas or code generation. In versions starting from 11.0.0 to before 11.1.1, an unhandled error is thrown when validating invalid connectionParams which crashes a tRPC WebSocket server. This allows any unauthenticated user to crash a tRPC 11 WebSocket server. Any tRPC 11 server with WebSocket enabled with a createContext method set is vulnerable. This issue has been patched in version 11.1.1.
AI Analysis
Technical Summary
CVE-2025-43855 is a high-severity vulnerability affecting the tRPC library versions from 11.0.0 up to but not including 11.1.1. tRPC is a framework that enables developers to build and consume fully typesafe APIs without requiring schemas or code generation. The vulnerability arises from an unhandled exception triggered during the validation of invalid connection parameters (connectionParams) in the WebSocket server implementation of tRPC. Specifically, when a client attempts to establish a WebSocket connection with malformed or invalid connection parameters, the server throws an uncaught exception, causing the WebSocket server to crash. This crash leads to a denial of service (DoS) condition. The vulnerability affects any tRPC 11 server that has WebSocket enabled and uses a createContext method, which is common in many implementations to provide contextual data per request. Importantly, exploitation requires no authentication or user interaction, making it trivially exploitable by any unauthenticated attacker who can reach the WebSocket endpoint. The issue has been addressed in tRPC version 11.1.1, where proper error handling for invalid connection parameters was implemented to prevent server crashes. The CVSS 4.0 base score of 8.7 reflects the high impact on availability due to the server crash, combined with the ease of exploitation (network vector, no privileges or user interaction required). No known exploits are currently reported in the wild, but the vulnerability presents a significant risk for denial of service attacks against affected tRPC WebSocket servers.
Potential Impact
For European organizations, the primary impact of this vulnerability is the potential for denial of service attacks against backend services using tRPC with WebSocket enabled. Such a DoS could disrupt critical API services, leading to downtime, degraded user experience, and potential cascading failures in dependent systems. Organizations relying on real-time or interactive applications using tRPC WebSocket connections—such as financial services platforms, e-commerce, or public sector digital services—may face service interruptions. The vulnerability does not directly compromise confidentiality or integrity but can cause significant operational impact and potential reputational damage. Additionally, attackers could use this vulnerability as a vector to distract or mask other malicious activities. Given the ease of exploitation and lack of authentication requirements, attackers could launch automated attacks at scale, affecting multiple organizations simultaneously. The absence of known exploits in the wild currently provides a window for mitigation before widespread exploitation occurs.
Mitigation Recommendations
European organizations should immediately audit their use of tRPC, specifically checking for versions >= 11.0.0 and < 11.1.1 with WebSocket enabled and createContext methods implemented. The primary mitigation is to upgrade all affected tRPC instances to version 11.1.1 or later, where the vulnerability is patched. If immediate upgrade is not feasible, organizations should consider implementing WebSocket connection filtering to validate and block malformed connectionParams at the network or application gateway level. Rate limiting and IP reputation filtering on WebSocket endpoints can reduce the risk of automated exploitation attempts. Additionally, implementing robust monitoring and alerting on WebSocket server crashes or restarts can provide early detection of exploitation attempts. Organizations should also review their incident response plans to handle potential denial of service incidents and communicate with stakeholders about possible service disruptions. Finally, developers should adopt secure coding practices to handle exceptions gracefully and avoid server crashes from malformed inputs.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-04-17T20:07:08.555Z
- CISA Enriched: true
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 682cd0fb1484d88663aec871
Added to database: 5/20/2025, 6:59:07 PM
Last enriched: 7/6/2025, 1:27:16 PM
Last updated: 8/12/2025, 6:59:22 AM